Overcoming Smart Grid Security Obstacles

Posted on February 21st, 2011 by

Josh Wepman, of SAIC, discusses some of the new security requirements a company might need as they prepare for more intelligent assets and a smarter grid.

Full Transcript:

Ben Lack: I’m with Josh Wepman of SAIC. Thanks so much for being with us. I appreciate it.
Josh Wepman: My pleasure.
Ben Lack: Energy security is a big issue right now with the evolution of the smart grid. You guys have some skills in technology and experience in this industry. I want to get your thoughts on what types of security issues are out there, maybe a top two or three, and then how are you guys solving those issues with the solutions that you’re offering your customers.
Josh Wepman: Sure. My personal view is that there’s a new risk profile coming from the digitization of assets. A lot of field technologies didn’t use to have a digital profile. To create an impact you needed proximity, you needed physical access to those devices. Now with the digital profile, there are all new ways to attack them and interest to do so. So, I would say the number one issue is really understanding the investment, and the change in the capabilities, and the change in the risk profile that comes with them. Our view is that security has to be, first, that top-down view of understanding your local risk, your local scope, your local appetite for change, and understanding the consequence of failure, ultimately.
Ben Lack: Is that the same for all the clients that you work with or is it really a case-by-case basis?
Josh Wepman: It’s the absolute opposite of the same for everybody. The technologies may be the same, but the role that they play in an organization, the rate at which they’re deployed, and ultimately the level of appetite for risk or the acceptance of risk, is absolutely different. It’s a very intimate experience for each organization. So, when we talk about standards and applying standards, the best we can do is guidelines to help people think about how they manage their organizational risk. It’s very different for every single organization.
Ben Lack: And so what types of processes do you have in-house that help you help the customer identify what those opportunities or issues are, and ultimately, how to solve them?
Josh Wepman: As SAIC Energy, Environment and Infrastructure, we’re not just cyber security people. We’re power systems engineers. We’re business consultants. And so, we have a very strong view of what the new capabilities are, what the new value propositions are that they bring, and what the new risk profiles are that they bring along. What we find is, we know better than many of our clients what the consequences of some of these investments are. So, we’re really helping to lead that conversation of what is the consequence of failure; what is the unacceptable outcome that has to be managed against; and ultimately how do you take standard cyber security processes, technologies, operational management procedures; how do you leverage those to manage against those personal risks and personal consequences.
Ben Lack: Are there certain solutions that are typically fairly common?
Josh Wepman: Yes. I think you can separate them into the technical domain and the operations and management domain, right?
Ben Lack: Right.
Josh Wepman: On the technical side, everyone’s going to apply encryption, everyone’s going to apply access controls in these things. You have to do those with a sensible way to manage risk, right? But, we, as an industry, tend to over-focus on the technology. We tend to over-focus on all of the work to get to day zero, to commission an asset that we can believe to be secure. The problem is, this is going to be around for twenty-five years; so, there’s this whole ‘how do I maintain the efficacy of that security investment in day three, in month five, in year seven.’ There are a lot of people, processes and tools that, traditionally, this industry hasn’t had a lot of maturity in. And that’s nobody’s fault. But those are the kinds of challenges that we need to manage. So, everyone here in this conference is offering some kind of technical solution, and that’s all great. But, information security twenty years ago was an awful lot different than it is today. And twenty years from now, it’s going to be very different. So, we can invest in great technologies, but it’s our ability to view the problem, to identify challenges going forward, and to identify those issues, and manage those issues on an ongoing basis, that’s where lasting security will come from. You saw that in the DOE-FOA grants. Everyone has to build security into their program and not just for the project but throughout the entire life cycle. So, I think there’s starting to become a real acceptance that security is: We like to talk about technology. We get excited about technology. It’s a technology that I like as much as anybody. But the real lasting security that you see in an investment comes from the operational life cycle on the other side. So, we can’t buy security from people. We need to integrate security into how we operate our new investment.
Ben Lack: Let’s talk about integration first. What type of time frame does it take to get these types of solutions integrated into a system infrastructure?
Josh Wepman: Well, investing in security and integrating security isn’t one thing. What we know about the world of cyber security is the business case to do everything, everywhere doesn’t exist, right? If I secure everything, everywhere, I will no longer have a business case for any kind of action. And we want to bring some progress. So, we need to find the most important problems, the largest risk, and we want to address that risk. So, how long does it take to integrate security is… I’m trying to think of a good analogy; that’s a big complicated question that incorporates all manner of things. So, we should simplify the conversation to ‘What are our risks and what does it take to integrate solutions to those risks.’ For example, identity and access management; or a better example is we’re putting all these field assets, these digital control field assets, beyond the substation where we don’t have a good presumption of physical security. So, we need to be able to identify when someone’s tampering with all these assets. That is an integrated security solution that we can bring forward to manage a real problem that has tractable impact and a consequence of failure to these organizations. Cyber security is not a mystery. It’s a process, right? It’s a process of asking the right questions and applying the right best practices in leadership and concepts to solving the challenges that we identify. And everyone’s challenges are a little bit different. NIST has put together a fine set of catalogue controls, the Department of Homeland Security has a catalogue of controls. It’s all a great amount of leadership for how we could go about solving certain kinds of problems if we could layer on top of that the domain knowledge. What does it mean to generation, transmission, distribution, to metering, to home integration?
If you ask those challenges, you identify those consequences, and you know what parts of the security catalogue to integrate in, and what parts are either not germane, not worth the investment, not a priority. Where we have to pick and choose what we can and can’t do.
Ben Lack: I’m curious to know why this industry is so interesting for you personally and why are you doing what you’re doing.
Josh Wepman: I have a family, right? I have a family. I have nieces and nephews. I want them to have the benefit of a modernized, secure energy delivery system in the future. I mean, this is something that’s personal for me. I don’t do this because it’s good business. I do this because I’m proud to get up in the morning and tell people I made a little bit of a difference in the world today, helping secure the future of energy. I think everyone around here, if you look around, everyone believes that. Everyone believes that this is something worth doing in a societal context, not just a corporate context.
Ben Lack: I appreciate so much you joining us today. Thank you very much. I appreciate the experience that you shared with us.
Josh Wepman: My pleasure.